Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry. The Task Force was established by Congress under the Cybersecurity Act of 2015. The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12. The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date. In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.” HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched. As in-house counsels understand, the ransomware attack raises a host of legal issues. For example, a recent Covington alert addresses insurance coverage for ransom attacks.

Disclosure: Ms. Feldman is one of the Covington & Burling attorneys that has been involved in advising and representing me in response to cease and desist threats from Bronx-Lebanon Hospital Center and iHealth Solutions.